International Journal of Accounting Information Systems

7 (2006) 162 – 166

Discussion

Continuous monitoring of business process controls: A

pilot implementation of a continuous auditing system at
Siemens by Alles, Brennan, Kogan and Vasarhelyi
Discussant's comments
S. Michael Groomer ⁎
Department of Accounting, Kelly School of Business, Indiana University, Bloomington, IN 47405-1701, USA

Received 14 November 2005; received in revised form 14 March 2006; accepted 16 March 2006

1. Introduction

The Continuous Auditing (CA) subject matter has been in the accounting and auditing
literature for at least the last 30 years. Weber (1982) notes three major concurrent auditing
techniques, namely, (1) Integrated Test Facility (ITF), (2) Snapshop/extended record and (3) the
System Control Audit Review File (SCARF). The SCARF technique is analogous to the present-
day concept of Embedded Audit Modules (EAMs). EAMs are the predominant computer audit
technique for facilitating continuous auditing.
While not intended to be exhaustive, early publication regarding continuous auditing can be
found in a number of articles and books. These publications include Perry (1974a,b), Mair et al.
(1976), Porter and Perry (1981), Koch (1981, 1984), Weber (1982), and Skudrna and Lackner
(1981).1 The works of Groomer and Murthy (1989) and subsequently Vasarhelyi and Halper
(1991) are the earliest of the “current day works” on this subject that set out to demonstrate how
continuous auditing could become a reality.
As a sometimes contributor to the literature in this area, I am delighted that the research
involving continuous auditing is moving beyond the discussion and model-building phase to the
development of a pilot implementation in a significant client setting. The work of Alles, Brennan,
Kogan and Vasarhelyi clearly pushes the envelope for what we know about what works and what

⁎ Tel.: +1 812 855 4026.

E-mail address: groomer@indiana.edu.
1
It is likely that Continuous Auditing was first considered as a computer audit technique by personnel at Touche Ross & Co.

1467-0895/$ - see front matter © 2006 Elsevier Inc. All rights reserved.
doi:10.1016/j.accinf.2006.03.005
 S.M. Groomer / International Journal of Accounting Information Systems 7 (2006) 162–166 163

does not work in the arena of continuous auditing. I am hopeful that this pilot work will continue
and expand into a production status.
In the way of direct comments regarding the substance of the paper, I would offer that the
readers of the paper would be well served with a clearly articulated set of objective(s). The authors
have done a nice job with the purpose and motivation, but a clear statement of the objective(s) of
the research would be useful. I might offer the following. The objective(s) of this paper are to (1)
describe the necessary support environment for continuous auditing and the related buy-in by
management, (2) compare two techniques that facilitate continuous auditing, (3) report on a pilot
experiment of continuous auditing at Siemens, and (4) describe some of the issues, problems and
any lessons learned from the pilot.
In order to consider the use of the continuous auditing technique in a client setting, several key
requirements should be present. Below are some of these suggested requirements for employing
continuous auditing.

• The target organization must have highly reliable systems.

• The subject of the audit has suitable characteristics necessary to apply continuous auditing
techniques.
• The auditor must have a high degree of proficiency in information systems, computer
technology, and the subject matter being examined.
• Automated audit procedures will provide most of the necessary audit evidence.
• The auditor must have a reliable means of obtaining the necessary audit evidence so that an
opinion can reached.
• The auditor must have timely access to and control over any audit evidence.
• It is necessary to have a highly placed champion to support the adoption and use of continuous
auditing.

The pilot experiment appears to meet these requirements. Of concern is the need for a highly
placed champion and related organizational support. In addition to the support of IT Audit, the
continued success of this project would seem to depend upon support from top management. If
there is this level of support, the authors should so indicate. Ultimately, the monetary dimensions
of this audit project will contribute substantially to the success or failure of this continuous
auditing initiative.
Tool building and tool availability for continuous auditing is clearly one focus for making
continuous auditing a reality. As a part of this discussion, the authors compare and contrast the
Monitoring and Control Layer (MCL) technique used in the pilot study and the Embedded Audit
Module technique. See Groomer and Murthy (1989) and Continuous Auditing (1999) for a
discussion of EAMs. Regardless of the actual techniques employed, there is

• Substantial effort in building the continuous auditing tools,

• Substantial need for organizational cooperation,
• Limited availability of “off the shelf” packaged tool sets, and
• Little aid and comfort from ERP built-ins like the SAP-AIS.

Moreover, any continuous auditing application will have some measure of intrusion into the
client system. While the authors are correct in claiming that their read only–external data
transport process involving the MCL technique is less “intense” than the use of EAMs, there is
still a need for client involvement and some focus for system intrusion. In response to
164 S.M. Groomer / International Journal of Accounting Information Systems 7 (2006) 162–166

Fig. 1. The CSP-1 sampling plan in the environment of an embedded audit module.
 S.M. Groomer / International Journal of Accounting Information Systems 7 (2006) 162–166 165

implementation concerns, one real answer is to “get into the game” early. That is, consider the
implementation of continuous auditing methods during the systems design process. For any
number of reasons, the selection of an ERP system is an excellent place to focus a pilot study for
continuous auditing.
The IT Audit group at Siemens facilitated this study. This is a natural and logical fit. If this pilot
can be driven to a successful conclusion and there is a decision to move forward with the
Continuous Auditing project, will internal auditing have the necessary staff? The authors might
take the opportunity to mention the concerns for staffing requirements and the need to hire and
retain skilled IT Auditors.
One of the issues raised by the authors in the use of continuous auditing techniques is the
frequency of polling the client's data and the impact of these processes on system performance.
Groomer and Murthy (2003) offer a solution to the impact of continuous auditing on systems
performance with the use of Continuous Sampling. Fig. 1 summarizes the continuous sampling
procedure (see Groomer and Murthy, 2003, p. 9). While the specifics of the entire process of using
continuous sampling is beyond the scope of this discussion, one can see that based upon two
parameters the sampling process begins a 100% (continuous) inspection of control objects. If “i
consecutive transactions” are free from defects, a random selection of “f transactions” are
inspected by the audit module. If an error is noted, 100% inspection is resumed. The result of this
process is to reduce the impact of computationally intensive EAMs or other continuous auditing
techniques on client system performance.
Three final issues are perhaps worthy of discussion. One, the authors indicate they have
concern for the scoring process used to evaluate the results of the audit process. Given the
hierarchical nature of the scoring process utilized, is there a more informative process? I would
offer that the issue needs further study. Two, materiality is a concern for continuous auditing just
as it is for non-continuous audits. One of the issues not raised by the authors is that if a
significant portion (all?) of the population is examined, then there is no need for statistical
inference. For controls, the error rate you observe is the error rate in the population. Three, the
role that continuous auditing is playing in the audit process could be made clearer. For example,
what assertions or audit objectives are being tested and are you testing general or application
controls?
I like this paper. I think the authors have done a great deal to expand what we know about
continuous auditing. Thank you for inviting me to discuss this work.

References

Continuous Auditing. The Canadian Institute of Chartered Accountants and the American Institute of Certified Public
Accountants. Toronto: The Canadian Institute of Chartered Accountants, 1999.
Groomer SM, Murthy US. Continuous auditing of database accounting systems using embedded audit modules. J Inf Syst
1989;3(1):53–69.
Groomer SM, Murthy US. Monitoring high volume transaction processing systems using a continuous sampling approach.
Int J Audit 2003;7:3–19.
Koch HS. Auditing online systems: on-line computer auditing through continuous and intermittent simulation. MIS
Quarterly 1981:29–41 (March).
Koch HS. Auditing online systems: an evaluation of parallel versus continuous and intermittent simulation. Comput Secur
1984:9–19 (February).
Mair WC, Wood DR, Davis KW. Computer Control and Audit. 2nd ed. Altamonte Springs: The Institute of Internal
Auditors; 1976.
Perry WE. Concurrent EDP auditing: an early warning scheme. EDPACS 1974a:1–7 (January).
Perry WE. Concurrent EDP auditing: an implementation approach. EDPACS 1974b:1–6 (February).
166 S.M. Groomer / International Journal of Accounting Information Systems 7 (2006) 162–166

Porter WT, Perry WE. EDP Controls and Auditing. 3rd ed. Belmont, CA: Wadsworth Publishing Company, Inc.; 1981.
Skudrna VJ, Lackner FJ. The implementation of concurrent auditing techniques in advanced EDP systems. EDPACS
1981:1–9 (April).
Weber R. EDP Auditing: Conceptual Foundations and Practice. New York: McGraw-Hill; 1982.
Vasarhelyi MA, Halper FB. The continuous audit of on-line systems. Audit J Pract Theory 1991;10(1):110–25.